
#91: Filtering Parameters in Phoenix

Phoenix 1.4


Currently, when a user registers for our site they enter some information about themselves, like their name, date of birth, and a secret phrase they can use in case they get locked out of their account, in addition to their email and password. If we look at the logs when a user is created:

  Parameters: %{"registration" => %{"dob" => "01/01/1990", "email" => "hello@elixircasts.io", "encrypted_password" => "[FILTERED]", "secret_phrase" => "top secret", "username" => "alekx"}}

We see that by default Phoenix filters out the password. However, we still have some sensitive information like the date of birth and the secret phrase included. Phoenix makes it easy to filter out sensitive data like this, so let’s update our application to do just that.

We’ll open our config.exs. Phoenix gives us two ways to configure which parameters are filtered. The first is to list the parameters we want filtered; any parameter not in the list will still appear in our logs. To do that we’ll add config :phoenix with the :filter_parameters option and a list of the parameters to filter. Let’s filter out “dob” and “secret_phrase”, and since this list replaces the default we’ll need to remember to include “password” if we want it to stay filtered.

config/config.exs

...
config :phoenix, :filter_parameters, ["dob", "secret_phrase", "password"]
...

We’ll need to restart the server since we changed config.exs.

$ mix phx.server
...

Then if we create another user and look at the logs again.

  Parameters: %{ ... "registration" => %{"dob" => "[FILTERED]", "email" => "user2@elixircasts.io", "encrypted_password" => "[FILTERED]", "secret_phrase" => "[FILTERED]", "username" => "bill"}}

We see that the parameters we specified, dob, secret_phrase, and password, are being filtered out.

Now let’s look at the other way to filter parameters. We’ll go back to our config.exs and instead of specifying what parameters we want filtered here, we can do the opposite and specify the parameters we want to show.

Let’s change our filter_parameters option: instead of a list we’ll use a two-element tuple, where the first element is the atom :keep and the second is a list of the parameters we don’t want filtered in our logs. All parameters not listed here will be filtered.

config/config.exs

...
config :phoenix, :filter_parameters, {:keep, ["username"]}
...

Then we’ll restart the server again.

$ mix phx.server
...

And if we create another user and go to our logs, we see only the “username” is not filtered in our params.

  Parameters: %{ ... "registration" => %{"dob" => "[FILTERED]", "email" => "[FILTERED]", "encrypted_password" => "[FILTERED]", "secret_phrase" => "[FILTERED]", "username" => "Jill"}}
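To make the difference between the two modes concrete without restarting a server each time, here is a small reimplementation of both filtering modes that can be pasted into iex. It is an added example, not code from this episode or from Phoenix itself (Phoenix’s own implementation lives in Phoenix.Logger); the ParamFilter module name, the function names, and the case-insensitive matching in discard mode are my own assumptions, and the sample params are constructed to match the registration form above.

```elixir
# Added example, not code from the episode or from Phoenix.
# ParamFilter is a hypothetical module name; Phoenix's real filtering is done in
# Phoenix.Logger before the Parameters line is written to the log.
defmodule ParamFilter do
  @filtered "[FILTERED]"

  # Discard mode: a key is filtered when it *contains* any configured pattern,
  # which is why the default ["password"] also catches "encrypted_password".
  # Matching is done case-insensitively here (an assumption of this example).
  def filter(params, patterns) when is_list(patterns), do: discard(params, patterns)

  # Keep mode: only keys named in the allow list survive; every other leaf
  # value becomes "[FILTERED]", while the surrounding map/list structure is kept.
  def filter(params, {:keep, allowed}) when is_list(allowed), do: keep(params, allowed)

  defp discard(%{} = map, patterns) do
    Map.new(map, fn {k, v} ->
      if is_binary(k) and String.contains?(String.downcase(k), patterns),
        do: {k, @filtered},
        else: {k, discard(v, patterns)}
    end)
  end

  defp discard(list, patterns) when is_list(list), do: Enum.map(list, &discard(&1, patterns))
  defp discard(other, _patterns), do: other

  defp keep(%{} = map, allowed) do
    Map.new(map, fn {k, v} ->
      if is_binary(k) and k in allowed, do: {k, v}, else: {k, keep(v, allowed)}
    end)
  end

  defp keep(list, allowed) when is_list(list), do: Enum.map(list, &keep(&1, allowed))
  defp keep(_other, _allowed), do: @filtered
end

# Constructed sample request, shaped like the episode's registration params.
params = %{
  "registration" => %{
    "dob" => "01/01/1990",
    "email" => "hello@elixircasts.io",
    "encrypted_password" => "not-a-real-password",
    "secret_phrase" => "top secret",
    "username" => "alekx"
  }
}

# Mirrors the first config: dob, secret_phrase and anything containing "password"
# are replaced; email and username still appear.
IO.inspect(ParamFilter.filter(params, ["dob", "secret_phrase", "password"]), label: "discard mode")

# Mirrors the second config: only "username" keeps its value; the nested
# "registration" map is still present but every other leaf is "[FILTERED]".
IO.inspect(ParamFilter.filter(params, {:keep, ["username"]}), label: "keep mode")
```

Two things worth noticing when choosing between the modes: discard mode matches on substrings, so a pattern like “password” covers “encrypted_password” and “password_confirmation” at once, but a newly added sensitive field (a second secret question, say) will be logged until someone remembers to add it to the list; keep mode matches keys exactly and filters everything else by default, so a new field is hidden from the logs unless it is explicitly allow-listed.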
